diff --git a/apps/emqx_dashboard/include/emqx_dashboard.hrl b/apps/emqx_dashboard/include/emqx_dashboard.hrl
index a4b53ffdc..8ebb4d3d5 100644
--- a/apps/emqx_dashboard/include/emqx_dashboard.hrl
+++ b/apps/emqx_dashboard/include/emqx_dashboard.hrl
@@ -23,11 +23,7 @@
 -define(ROLE_VIEWER, <<"viewer">>).
 -define(ROLE_SUPERUSER, <<"superuser">>).
--if(?EMQX_RELEASE_EDITION == ee).
--define(ROLE_DEFAULT, ?ROLE_VIEWER).
--else.
 -define(ROLE_DEFAULT, ?ROLE_SUPERUSER).
--endif.
 -record(?ADMIN, {
     username :: binary(),
diff --git a/apps/emqx_dashboard/src/emqx_dashboard_admin.erl b/apps/emqx_dashboard/src/emqx_dashboard_admin.erl
index c0fe63523..06dac9a01 100644
--- a/apps/emqx_dashboard/src/emqx_dashboard_admin.erl
+++ b/apps/emqx_dashboard/src/emqx_dashboard_admin.erl
@@ -405,7 +405,7 @@ ensure_role(Role) when is_binary(Role) ->
 -if(?EMQX_RELEASE_EDITION == ee).
 legal_role(Role) ->
-    emqx_dashboard_rbac:legal_role(Role).
+    emqx_dashboard_rbac:valid_role(Role).
 role(Data) ->
     emqx_dashboard_rbac:role(Data).
diff --git a/apps/emqx_dashboard/src/emqx_dashboard_api.erl b/apps/emqx_dashboard/src/emqx_dashboard_api.erl
index b80d73b76..9ed6d1a77 100644
--- a/apps/emqx_dashboard/src/emqx_dashboard_api.erl
+++ b/apps/emqx_dashboard/src/emqx_dashboard_api.erl
@@ -242,7 +242,7 @@ logout(_, #{
     end.
 users(get, _Request) ->
-    {200, emqx_dashboard_admin:all_users()};
+    {200, filter_result(emqx_dashboard_admin:all_users())};
 users(post, #{body := Params}) ->
     Desc = maps:get(<<"description">>, Params, <<"">>),
     Role = maps:get(<<"role">>, Params, ?ROLE_DEFAULT),
diff --git a/apps/emqx_dashboard_rbac/src/emqx_dashboard_rbac.erl b/apps/emqx_dashboard_rbac/src/emqx_dashboard_rbac.erl
index 404def669..74f6312ea 100644
--- a/apps/emqx_dashboard_rbac/src/emqx_dashboard_rbac.erl
+++ b/apps/emqx_dashboard_rbac/src/emqx_dashboard_rbac.erl
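Review bot: Dropping the `-if(?EMQX_RELEASE_EDITION == ee)` branch makes `?ROLE_DEFAULT` resolve to `?ROLE_SUPERUSER` on every edition, including the one where `emqx_dashboard_rbac` enforces roles, so a dashboard user created without an explicit `role` is granted full access; the consuming line is `Role = maps:get(<<"role">>, Params, ?ROLE_DEFAULT)` in the emqx_dashboard_api.erl hunk. From a least-privilege standpoint the default should be the most restricted role wherever RBAC is enforced, or the `role` field should be required when creating a user. If superuser-by-default is a deliberate compatibility choice, state it next to the define, e.g. `%% Default role on all editions; callers wanting least privilege must pass role explicitly.`, so it is not read as an oversight later.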
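Review bot: `filter_result/1` is not defined within this hunk, so what it removes from the `all_users()` result is not visible here; assuming it strips fields that should not leave the node, a one-line comment at the call site such as `%% filter_result/1 drops fields that must not be exposed over the REST API` would make the intent clear to the next reader, and the definition should be checked to confirm that assumption. The `users/2` function continues past the end of the hunk.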
@@ -6,7 +6,7 @@
 -include_lib("emqx_dashboard/include/emqx_dashboard.hrl").
--export([check_rbac/2, role/1, legal_role/1]).
+-export([check_rbac/2, role/1, valid_role/1]).
 -dialyzer({nowarn_function, role/1}).
 %%=====================================================================
@@ -27,7 +27,7 @@ role([]) ->
 role(#{role := Role}) ->
     Role.
-legal_role(Role) ->
+valid_role(Role) ->
     case lists:member(Role, role_list()) of
         true ->
             ok;
diff --git a/changes/ee/feat-11610.en.md b/changes/ee/feat-11610.en.md
index 0d9cae031..db63d6cc7 100644
--- a/changes/ee/feat-11610.en.md
+++ b/changes/ee/feat-11610.en.md
@@ -1,6 +1,9 @@
 Implemented a preliminary Role-Based Access Control for the Dashboard.
+
 In this version, there are two predefined roles:
 - superuser
+
   This role could access all resources.
 - viewer
-  This role only can access the `GET` resource.
+
+  This role can only view resources and data, corresponding to all GET requests in the REST API.
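Review bot: `valid_role/1` is newly exported but carries no `-spec`; the `true` branch returns `ok` and the other branch lies outside the hunk, so a spec such as `-spec valid_role(binary()) -> ok | {error, term()}.` (with the argument and error types adjusted to what the remaining clause returns) would let Dialyzer check the call from emqx_dashboard_admin. The rename is also only half applied: emqx_dashboard_admin.erl still exposes its wrapper as `legal_role/1` while calling `emqx_dashboard_rbac:valid_role/1`, so two names now coexist for the same check. The function body continues outside the hunk.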